diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-01 19:09:31 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-01 19:21:10 +0200 |
commit | 818f7dded9c9e8a89a2de98801425536180ae307 (patch) | |
tree | 602ef65d5cd1b19e9b9777b9dbbd6c7acdacb0a5 | |
parent | 3835de19fe5773baac5b79f35484d0f0e99bcfe1 (diff) |
evaluate: reset ctx->set after set interval evaluation
Otherwise bogus error reports on set datatype mismatch might occur, such as:
Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
~~~~~~~~~~~~ ^^^^^^^^^^^^
with an unrelated set declaration.
table ip test {
set set_with_interval {
type ipv4_addr
flags interval
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
}
}
This bug has been introduced in the evaluation step.
Reported-by: Roman Petrov <nwhisper@gmail.com>
Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 10 | ||||
-rw-r--r-- | tests/shell/testcases/sets/dumps/set_eval_0.nft | 11 | ||||
-rwxr-xr-x | tests/shell/testcases/sets/set_eval_0 | 17 |
3 files changed, 34 insertions, 4 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 1447a4c2..82bf1311 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4005,8 +4005,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd) cmd->elem.set = set_get(set); if (set_is_interval(ctx->set->flags) && - !(set->flags & NFT_SET_CONCAT)) - return interval_set_eval(ctx, ctx->set, cmd->expr); + !(set->flags & NFT_SET_CONCAT) && + interval_set_eval(ctx, ctx->set, cmd->expr) < 0) + return -1; ctx->set = NULL; @@ -4184,8 +4185,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) } if (set_is_interval(ctx->set->flags) && - !(ctx->set->flags & NFT_SET_CONCAT)) - return interval_set_eval(ctx, ctx->set, set->init); + !(ctx->set->flags & NFT_SET_CONCAT) && + interval_set_eval(ctx, ctx->set, set->init) < 0) + return -1; ctx->set = NULL; diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft new file mode 100644 index 00000000..a45462b8 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft @@ -0,0 +1,11 @@ +table ip nat { + set set_with_interval { + type ipv4_addr + flags interval + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 + } +} diff --git a/tests/shell/testcases/sets/set_eval_0 b/tests/shell/testcases/sets/set_eval_0 new file mode 100755 index 00000000..82b6d3bc --- /dev/null +++ b/tests/shell/testcases/sets/set_eval_0 @@ -0,0 +1,17 @@ +#!/bin/bash + +set -e + +RULESET="table ip nat { + set set_with_interval { + type ipv4_addr + flags interval + } + + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 + } +}" + +$NFT -f - <<< $RULESET |